Overview

History of Updates

The initial descriptions of the object classes and permissions are based on revision 20120725 of the SELinux community's reference policy. Where a newer policy adds or redefines them, we at least add a note stating which revision is the minimum policy for which this description is valid.

20120725

The initial description of the definition of object classes and permissions.

2013xxxx

db_materialized_view object class will be added.

List of object classes and permissions

common database

create, drop, getattr, setattr, relabelfrom, relabelto

db_database

access and common permissions

db_schema

search, add_name, remove_name and common permissions

db_table class

select

to be checked when client tries to reference tables.

update

to be checked when client tries to update rows of tables.

insert

to be checked when client tries to insert rows into table.

delete

to be checked when client tries to delete rows of table, including case of TRUNCATE command.

to be checked when client tries to refresh materialized view into the latest status

(operating system) process class

transition

to be checked when client's label is switched via trusted procedure

dyntransition

to be checked between older and newer label of client when its label is switched via sepgsql_setcon()

setcurrent

to be checked on the current label of client when its label is switched via sepgsql_setcon()

(operating system) file class

(*) Note that the object class may be dir, lnk_file, chr_file, blk_file, sock_file or fifo_file instead of file, depending on the type of the file node being referenced.

read

to be checked when the user's operation requires reading the contents of a particular file on the local file system

write

to be checked when the user's operation requires writing the contents of a particular file on the local file system

create

to be checked when the user's operation requires creating a particular file on the local file system

getattr

to be checked when the user's operation requires referencing the properties of a particular file on the local file system

unlink

to be checked when the user's operation requires unlinking a particular file on the local file system

rename

to be checked when the user's operation requires renaming a particular file on the local file system

common database

Several basic permissions are common to all database object classes, except for the db_tuple class, which represents rows in user tables.
Please also see the section on each individual object class for the definition of that object class.

permissions

create

It shall be checked when the user's operation tries to create a new database object classified under the database object class.

A default security label shall be assigned to the new database object, then the create permission shall be checked on that default label.

drop

It shall be checked when the user's operation tries to drop an existing database object classified under the database object class.

Unlike DAC checks, it shall also be applied to database objects being dropped in cascade.

getattr

It shall be checked when the user's operation tries to read one or more properties of a particular database object classified under the database object class.

Note that it is not intended to control operations that consume the referenced properties without disclosing them. In other words, it needs to be checked on SELECT FROM system catalogs, but an internal syscache reference, for example, is not such a case.

setattr

It shall be checked when the user's operation tries to modify one or more properties of a database object classified under the database object class.

relabelfrom

It shall be checked against the older security label when the user's operation tries to change the security label of a particular database object classified under the database object class.

relabelto

It shall be checked against the newer security label when the user's operation tries to change the security label of a particular database object classified under the database object class.

db_database class

An object of the db_database class represents an entry of the pg_database system catalog.
Its default security label shall inherit the label assigned to the database used as the template for the new one, unless a type_transition rule applies here.

permissions

common permissions

This object class also has common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.

access

It shall be checked when a client tries to connect to the database. It is the equivalent of the DATABASE CONNECT permission in the database acl.

db_schema class

An object of the db_schema class represents an entry of the pg_namespace system catalog.
Its default security label shall inherit the label assigned to the database that owns the schema, unless a type_transition rule applies here.

permissions

common permissions

This object class also has common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.

search

It shall be checked when a client tries to resolve an object name under the schema.

It is the equivalent of the SCHEMA USE permission in the database acl, thus a client cannot look up any object under the schema without this permission.

add_name

It shall be checked when a client tries to add an object name entry into a particular schema, due to object creation, rename or SET SCHEMA.

remove_name

It shall be checked when a client tries to remove an object name entry from a particular schema, due to object deletion, rename or SET SCHEMA.

db_table class

An object of the db_table class represents an entry of the pg_class system catalog with RELKIND_RELATION.
Its default security label shall inherit the label assigned to the schema that owns the table, unless a type_transition rule applies here.

Some other catalogs that store properties of relations externally, such as pg_trigger and pg_index, are treated as properties of the associated table; these entries therefore have no security label of their own, and sepgsql checks the setattr permission of the relation on creation or deletion of these entries.

permissions

common permissions

This object class also has common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.

select

It shall be checked when a client tries to reference the table. Not only the SELECT command requires it, but any operation that may read the contents of the table, such as the WHERE clause of DELETE, a reference within a new value in UPDATE, and so on.

Unlike the database acl, it shall also be checked on child relations when an inheritance parent is accessed.

update

It shall be checked when a client tries to update rows of a table.

Unlike the database acl, it shall also be checked on child relations when an inheritance parent is accessed.

insert

It shall be checked when a client tries to insert new rows into a table.

delete

It shall be checked when a client tries to delete rows of a table, including the case of the TRUNCATE command.

Unlike the database acl, it shall also be checked on child relations when an inheritance parent is accessed.

lock

It shall be checked when a client tries to acquire a table lock without reading or writing the contents of the table.
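The rules above (common permissions, default labels inherited unless a type_transition rule applies, relabelfrom/relabelto on old and new label, dyntransition plus setcurrent for sepgsql_setcon(), and the db_table permissions that are also checked on inheritance children) can be read as a small access-check algorithm. The following Python model is an added illustration written for this page, not sepgsql's own code: the Policy class, the label names (client_t, table_t, child_t, secret_t, schema_t, client_low_t) and the sample rules are all constructed for the example, and the statement model only covers the cases the page describes.

```python
from dataclasses import dataclass, field

# Permissions common to every database object class except db_tuple
COMMON_DB_PERMS = frozenset({"create", "drop", "getattr", "setattr", "relabelfrom", "relabelto"})

CLASS_PERMS = {
    "db_database": COMMON_DB_PERMS | {"access"},
    "db_schema":   COMMON_DB_PERMS | {"search", "add_name", "remove_name"},
    "db_table":    COMMON_DB_PERMS | {"select", "update", "insert", "delete", "lock"},
    "db_sequence": COMMON_DB_PERMS | {"get_value", "next_value", "set_value"},
    "process":     frozenset({"transition", "dyntransition", "setcurrent"}),
}

# db_table permissions that are also checked on inheritance children when the parent is accessed
INHERITED_PERMS = frozenset({"select", "update", "delete"})


class Policy:
    """Toy access-vector store (an assumption for this example): a set of
    (subject, object label, class, permission) allow rules plus optional
    type_transition rules keyed by (subject, parent label, class)."""

    def __init__(self, allow_rules, type_transitions=None):
        self.allow = frozenset(allow_rules)
        self.type_transitions = dict(type_transitions or {})

    def allowed(self, subject, obj_label, cls, perm):
        if perm not in CLASS_PERMS[cls]:
            raise ValueError(f"{perm!r} is not a permission of class {cls!r}")
        return (subject, obj_label, cls, perm) in self.allow

    def default_label(self, subject, parent_label, cls):
        # A new object inherits its parent's label unless a type_transition rule applies
        return self.type_transitions.get((subject, parent_label, cls), parent_label)


@dataclass
class Table:
    name: str
    label: str
    children: list = field(default_factory=list)   # inheritance children


def required_table_perms(kind, reads_rows=False):
    """db_table permissions a statement needs. `reads_rows` marks an UPDATE or
    DELETE whose WHERE clause or new-value expression reads the table."""
    perms = {
        "SELECT": {"select"},
        "INSERT": {"insert"},
        "UPDATE": {"update"},
        "DELETE": {"delete"},
        "TRUNCATE": {"delete"},   # TRUNCATE is checked as delete
        "LOCK": {"lock"},         # lock without reading or writing contents
    }[kind]
    if reads_rows and kind in ("UPDATE", "DELETE"):
        perms = perms | {"select"}
    return perms


def check_table_access(policy, subject, table, kind, reads_rows=False):
    """Return the (table, perm, allowed) checks the rules imply, including the
    checks on inheritance children for select/update/delete."""
    checks = []
    for perm in sorted(required_table_perms(kind, reads_rows)):
        checks.append((table.name, perm, policy.allowed(subject, table.label, "db_table", perm)))
        if perm in INHERITED_PERMS:
            for child in table.children:
                checks.append((child.name, perm, policy.allowed(subject, child.label, "db_table", perm)))
    return checks


def check_relabel(policy, subject, cls, old_label, new_label):
    """Relabeling needs relabelfrom on the old label and relabelto on the new one."""
    return (policy.allowed(subject, old_label, cls, "relabelfrom")
            and policy.allowed(subject, new_label, cls, "relabelto"))


def check_setcon(policy, current_label, new_label):
    """sepgsql_setcon(): dyntransition from the current client label to the new
    one, and setcurrent on the current label."""
    return (policy.allowed(current_label, new_label, "process", "dyntransition")
            and policy.allowed(current_label, current_label, "process", "setcurrent"))


# Constructed sample policy; the label names are made up for this illustration
SAMPLE_POLICY = Policy(
    allow_rules=[
        ("client_t", "table_t", "db_table", "select"),
        ("client_t", "table_t", "db_table", "delete"),
        ("client_t", "table_t", "db_table", "lock"),
        ("client_t", "child_t", "db_table", "delete"),       # deliberately no select on the child
        ("client_t", "table_t", "db_table", "relabelfrom"),
        ("client_t", "secret_t", "db_table", "relabelto"),
        ("client_t", "client_t", "process", "setcurrent"),
        ("client_t", "client_low_t", "process", "dyntransition"),
    ],
    type_transitions={("client_t", "schema_t", "db_table"): "table_t"},
)

PARENT = Table("parent", "table_t", children=[Table("child", "child_t")])

if __name__ == "__main__":
    # A DELETE with a WHERE clause on an inheritance parent: delete and select
    # are checked on the parent and again on the child; the child's select fails.
    for check in check_table_access(SAMPLE_POLICY, "client_t", PARENT, "DELETE", reads_rows=True):
        print(check)
```

Running the module shows why the inheritance rule matters: a client that may delete from the parent but has no select permission on the child still fails the DELETE, because the WHERE clause reads rows of every child relation. A plain LOCK TABLE, by contrast, produces a single lock check and none on the children.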

db_sequence class

An object of the db_sequence class represents an entry of the pg_class system catalog with RELKIND_SEQUENCE.
Its default security label shall inherit the label assigned to the schema that owns the sequence, unless a type_transition rule applies here.

Some other catalogs that store properties of relations externally, such as pg_trigger and pg_index, are treated as properties of the associated table; these entries therefore have no security label of their own, and sepgsql checks the setattr permission of the relation on creation or deletion of these entries.

permissions

common permissions

This object class also has common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.

get_value

It shall be checked when a client tries to get the current value of a sequence.

next_value

It shall be checked when a client tries to increment the value of a sequence.

set_value

It shall be checked when a client tries to set an arbitrary value on a sequence.